Portable Malware Lab for Beginners – Part 2


In the previous article, “Portable Malware Lab for Beginners,” I spoke about nested virtual machines, i.e., deploying a virtual machine with QEMU and Cuckoo. This acts as a base system for our portable malware analysis lab.

However, malware analysis is not limited to the execution of a Windows binary; various other aspects are also involved. The main goal of malware is to gain privileged rights on the system it intends to infect. In order to do so, various delivery methods are used, e.g.:

Transmission via email.

Infection via web pages or hacked web servers.

Infection via removable media.

One may come across many email attachments containing a malicious file. It can be a ZIP archive that contains an EXE, a PDF, or, in some cases, a Word document or spreadsheet. It should also be noted that malware authors will always try to mask the icons of the files to make them look like they belong to a specific application, e.g., a PDF icon for a binary. They may also make use of right-to-left override Unicode characters to spoof the file extension, as shown below.
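As an added illustration of the extension-spoofing trick just described (this is example code, not part of the original article), the following Python script models how a bidi-aware file manager renders a name containing U+202E and compares that with the extension the OS actually uses. The filenames are constructed samples, and the rendering is a simplified model of the Unicode bidi algorithm.

```python
import unicodedata

# Unicode bidirectional controls: embeddings/overrides/pop (U+202A-202E) and isolates (U+2066-2069)
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def displayed_name(name: str) -> str:
    """Approximate how a bidi-aware UI renders the name: text after a
    RIGHT-TO-LEFT OVERRIDE (U+202E) is shown reversed until a POP DIRECTIONAL
    FORMATTING (U+202C) or the end; other controls are invisible and dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def inspect_filename(name: str) -> dict:
    """Compare what the user sees with what the OS will actually open or execute."""
    shown = displayed_name(name)
    controls = [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in name if c in BIDI_CONTROLS]
    real_ext, shown_ext = _extension(name), _extension(shown)
    return {
        "displayed": shown,
        "displayed_extension": shown_ext,
        "real_extension": real_ext,
        "bidi_controls": controls,
        # any bidi control in an attachment name, or an extension mismatch, is worth a look
        "suspicious": bool(controls) or real_ext != shown_ext,
    }


if __name__ == "__main__":
    # constructed sample attachment names: one spoofed with U+202E, one clean
    for sample in ("invoice\u202efdp.exe", "report.pdf"):
        print(inspect_filename(sample))
```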

However, the most interesting of this lot is infection via the web browser. Infection through the browser is the most common occurrence, and JavaScript, applets, JARs, and Flash objects are used extensively to facilitate it.

However, we will first go through the deployment of ssdeep and YARA. These tools will be helpful as you complete the integration of your portable malware lab. As said in the earlier article, the portable malware lab is not just an amalgamation of different tools; it is intended to help you build a system that contains all the tools necessary for analyzing malware. The output of several tools can also be fed into other tools to provide a better overview of the behavior of the malware.

YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA, you can create descriptions of malware families based on textual or binary patterns contained in samples of those families. Each description consists of a set of strings and a Boolean expression that determines its logic.

SSDEEP is a program for computing context-triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
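To make the CTPH idea concrete, here is a simplified Python implementation of the ssdeep scheme (added here as a teaching example; it is not ssdeep's code and its output is not compatible with ssdeep). A rolling hash over the last 7 bytes decides where each piece ends, so a local edit only disturbs the signature characters near it, which is why two inputs sharing runs of identical bytes still score as similar. The block size is fixed by the caller, and the test inputs are constructed pseudo-random blobs.

```python
"""Simplified context-triggered piecewise hashing (CTPH), the idea behind ssdeep.
A rolling hash over the last 7 bytes decides where each piece ends, so a local
edit only disturbs the signature characters near it. Teaching implementation:
fixed block size, one signature, output is not ssdeep-compatible."""
import random
from difflib import SequenceMatcher

WINDOW = 7
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_INIT, FNV_PRIME = 0x28021967, 0x01000193  # 32-bit FNV constants as used by ssdeep
M32 = 0xFFFFFFFF


def ctph(data: bytes, block_size: int = 16) -> str:
    """Return 'block_size:signature' with one base64 char per triggered piece."""
    win = [0] * WINDOW
    h1 = h2 = h3 = 0           # rolling-hash state over the last WINDOW bytes
    piece = FNV_INIT           # FNV hash of the piece being built
    sig = []
    for n, c in enumerate(data):
        h2 = (h2 - h1 + WINDOW * c) & M32       # position-weighted window sum
        h1 = (h1 + c - win[n % WINDOW]) & M32   # plain window sum
        win[n % WINDOW] = c
        h3 = ((h3 << 5) & M32) ^ c              # shift/xor mixer
        piece = ((piece * FNV_PRIME) & M32) ^ c
        # trigger: the content-derived rolling hash, not a byte offset, ends the piece
        if ((h1 + h2 + h3) & M32) % block_size == block_size - 1:
            sig.append(B64[piece & 63])
            piece = FNV_INIT
    if piece != FNV_INIT:      # flush the trailing partial piece
        sig.append(B64[piece & 63])
    return f"{block_size}:{''.join(sig)}"


def similarity(sig_a: str, sig_b: str) -> int:
    """0-100 score; like ssdeep, demand a common run of at least WINDOW chars."""
    bs_a, a = sig_a.split(":", 1)
    bs_b, b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0               # different block sizes are not comparable
    sm = SequenceMatcher(None, a, b)
    if sm.find_longest_match(0, len(a), 0, len(b)).size < WINDOW:
        return 0
    return round(100 * sm.ratio())  # difflib ratio stands in for ssdeep's edit distance


def samples() -> tuple:
    """Constructed inputs: original, copy with 5 bytes changed mid-file, unrelated blob."""
    original = random.Random(1).randbytes(600)
    edited = original[:300] + bytes(5) + original[305:]
    return original, edited, random.Random(2).randbytes(600)
```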

In order to analyze JavaScript, we may use Google’s V8 engine or Rhino for parsing. In this tutorial, we will deploy both Rhino and V8 on our portable lab. However, as Rhino is based on Java, we also need to deploy the Java libraries to ensure it functions smoothly.

When speaking about web-based threats, it is imperative to deploy a honey-client that emulates your browser and provides better insight into web-based threats. These threats mostly take the form of embedded iframes or obfuscated JavaScript embedded within the web page or an applet.

The best emulator for various browsers is Thug, which is based on Google’s V8 JavaScript engine.

Thug is a Python low-interaction honey-client based on a hybrid static/dynamic analysis approach.

Thug makes use of the Google V8 JavaScript engine wrapped through PyV8 in order to analyze malicious JavaScript code and the Libemu library wrapped through Pylibemu in order to detect and emulate shell codes.

For analyzing PDF documents, peepdf is the tool. peepdf is a Python-based tool that assists the researcher in learning about a PDF without the need for any additional tools. Since peepdf uses V8 and Pylibemu, it also provides wrappers for JavaScript and shellcode analysis.

During the installation of Thug, we have already deployed V8 and Pylibemu, so we need not go through the entire process once again. However, for peepdf to provide all the mentioned functionality, “lxml” is the required package that needs to be deployed.

While researching, it is quite possible that researchers will come across a variety of samples, and they need not be of the same file type. Static analysis is as important as dynamic analysis, and this is where Bokken, Radare, and Pyew help us. Bokken is basically a GUI front end for the Pyew and Radare projects.

Pyew

Pyew is a malware analysis tool developed in Python that provides a variety of features, including viewing HEX, disassembly, PE and ELF file formats, and code analysis. It also allows you to write scripts.

Radare

Radare, on the other hand, is used for disassembling, debugging, and a variety of tasks.

Since we are using a Linux system and there are numerous Windows programs that are actively used for analyzing malware, let’s deploy WINE, a Windows emulator. By deploying WINE, we will be in a position to use a few of the Windows tools that are used by researchers. However, there are certain limitations to their use, depending on the packages you have selected to use with WINE.

# apt-get install wine
# wine --version
wine-1.4

Now that we have deployed WINE, the first Windows application that we download and deploy is Malzilla. According to the author, it’s a malware hunting tool. However, summarizing the usefulness of Malzilla in a sentence wouldn’t be possible. Since most present-day malware and exploits are browser-based, Malzilla offers an excellent platform to analyze and reverse-engineer this type of malware.

Download Malzilla from the below mentioned location and extract the contents from an archive. No installation is required.

Another Windows-based tool that is excellent for deobfuscating JavaScript is “ReveloJS,” written by Kahu Security. Extensive tutorials and examples have been made available for this tool. To read more about it and to download it, visit this link. The download link is at the end of the article.

WINE will proceed with the further execution of the executable and the rest of the installation is just like any other Windows application installation.

Summary

These two articles were created with the intention of assisting you in creating your own malware analysis lab in portable mode. Since this is heavily dependent on virtual machines, it is recommended that you ensure proper backups of all the virtual hard disks are maintained.

Also, there are numerous tools available for *nix/Windows that have not been included, but they can always be used within this environment, either by utilizing the power of WINE or, by using the method described to implement nested VMs, by deploying an MS Windows OS and the Windows-specific tools.

Note: IDA Pro and Ollydbg function best within the MS Windows environment.

Aparajit has worked in IT Security for more than 10 years with varied experience. Finding newer methods for detection of malware is a passion. Spare time is reserved for tracking botnets, CnC servers and writing articles for Infosec. Contact via Twitter: @iaparajit

Unable to install swfinvestigator using the above instructions. During install, I got: err:module:import_dll Library mscms.dll (which is needed by L"C:\\users\\root\\Temp\\AIR442c.tmp\\Adobe AIR\\Versions\\1.0\\Adobe AIR.dll") not found
Strange, since mscms.dll is from Microsoft Color Matching System DLL. It should be on any Windows system in System32. Taking one from Win7 gives the next error:
err:module:import_dll Library API-MS-Win-Core-LocalRegistry-L1-1-0.dll (which is needed by L"Z:\\root\\Downloads\\mscms.dll") not found. Copied it from Win7’s system32.
Then it tells me that it needs AdobeAir. When I downloaded AdobeAir and tried to install it with wine, it told me that it needed a version of Air that wasn’t found (however, I was installing the 32 bit win xp/win7 version). Can’t seem to get around this. (Not even if I extract the Adobe AIR.dll from the Air install exe, and put it in the install directory).
